2.3 KiB
CVE-2024-56786
Description
In the Linux kernel, the following vulnerability has been resolved:bpf: put bpf_link's program when link is safe to be deallocatedIn general, BPF link's underlying BPF program should be considered to bereachable through attach hook -> link -> prog chain, and, pessimistically,we have to assume that as long as link's memory is not safe to free,attach hook's code might hold a pointer to BPF program and use it.As such, it's not (generally) correct to put link's program early beforewaiting for RCU GPs to go through. More eager bpf_prog_put() that wecurrently do is mostly correct due to BPF program's release code doingsimilar RCU GP waiting, but as will be shown in the following patches,BPF program can be non-sleepable (and, thus, reliant on only "classic"RCU GP), while BPF link's attach hook can have sleepable semantics andneeds to be protected by RCU Tasks Trace, and for such cases BPF linkhas to go through RCU Tasks Trace + "classic" RCU GPs before beingdeallocated. And so, if we put BPF program early, we might free BPFprogram before we free BPF link, leading to use-after-free situation.So, this patch defers bpf_prog_put() until we are ready to performbpf_link's deallocation. At worst, this delays BPF program freeing byone extra RCU GP, but that seems completely acceptable. Alternatively,we'd need more elaborate ways to determine BPF hook, BPF link, and BPFprogram lifetimes, and how they relate to each other, which seems likean unnecessary complication.Note, for most BPF links we still will perform eager bpf_prog_put() andlink dealloc, so for those BPF links there are no observable changeswhatsoever. Only BPF links that use deferred dealloc might noticeslightly delayed freeing of BPF programs.Also, to reduce code and logic duplication, extract program put + linkdealloc logic into bpf_link_dealloc() helper.
POC
Reference
No PoCs from references.